Profiling a Typosquatted Google Gmail Targeted Phishing Campaign Domain Portfolio - An OSINT Analysis

November 29, 2022

NOTE:

The majority of these typosquatted phishing domains, which are also known to have been used in targeted phishing campaigns, are known to have been part of the infrastructure of Void Balaur, a hacking-for-hire vendor.

I've decided to share with everyone a recently discovered, OSINT-sourced portfolio of typosquatted phishing domains which appears to have been widely used in a variety of targeted phishing campaigns.
 
Sample domains known to have been involved in the campaign include:

hxxp://my-mail-account-gmail.com
hxxp://security-myaccount-goglemail.com
hxxp://myaccount-mail-my-gmail.com
hxxp://account-mail-my-gmail.com
hxxp://cloud-accounts-goglemail.com
hxxp://my-account-security-goglemail.com
hxxp://mail-yahoo-myaccounts.com
hxxp://mail-yahoo-myaccount.com
hxxp://account-disk-gmail.com
hxxp://my-mail-accounts-gmail.com
hxxp://accounts-mail-my-gmail.com
hxxp://mail-my-accounts-gmail.com
hxxp://myaccount-mail-goglemail.com
hxxp://accounts-oauth-gmail.com
hxxp://account-oauth-gmail.com
hxxp://account-my-mail-gmail.com
hxxp://mail-myaccounts-gmail.com
hxxp://accounts-mail-goglemail.com
hxxp://mail-myaccount-yahoo.com
hxxp://mail-my-account-gmail.com
hxxp://security-accounts-goglemail.com
hxxp://my-signin-accounts-gmail.com
hxxp://my-signin-account-gmail.com
hxxp://my-oauth-account-gmail.com
hxxp://security-myaccounts-goglemail.com
hxxp://security-my-account-goglemail.com
hxxp://my-security-goglemail.com
hxxp://myaccounts-gmail.com
hxxp://myaccounts-mail-gmail.com
hxxp://accounts-my-mail-gmail.com
hxxp://myaccounts-mail-my-gmail.com
hxxp://my-mail-account-yahoo.com
hxxp://security-my-goglemail.com
hxxp://myaccount-my-mail-gmail.com
hxxp://myaccounts-my-mail-gmail.com
hxxp://cloud-myaccount-goglemail.com
hxxp://my-mail-yahoo-accounts.com
hxxp://mail-yahoo-my-account.com
hxxp://mail-myaccount.com
hxxp://myaccounts-mail-yahoo.com
hxxp://my-mail-gmail.com
hxxp://security-my-accounts-goglemail.com
hxxp://mail-accounts-my-gmail.com
hxxp://yahoo-oauth-accounts.com
hxxp://mysecurity-goglemail.com

Sample responding IPs known to have been participating in the campaign include:

185.246.130.170
194.67.71.102
5.188.206.201
194.58.56.56
194.67.71.197
194.58.56.34
195.3.144.231
194.67.71.61
195.3.146.111
195.3.146.100
194.67.71.142
194.67.71.44
54.241.4.132
195.186.210.241
194.67.71.189
194.67.71.137
194.67.71.3
194.67.71.25
193.105.134.29
194.58.112.169
194.67.71.160
194.67.71.35
194.67.71.17
194.67.71.158
194.67.71.99
194.67.71.123
195.3.146.94
194.58.112.174
95.173.132.1
194.67.71.173
195.3.146.106
185.246.130.165
194.58.112.172
195.3.146.90
99.83.178.7
194.67.71.105
185.246.130.162
194.67.71.162
194.67.71.47
194.67.71.175
75.2.110.227
194.67.71.40
194.58.113.13
194.58.112.170
194.67.71.118
194.67.71.177
195.3.146.99
195.186.208.193
194.58.113.14
194.67.71.73
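The two lists above only become useful once something checks observed traffic against them, and the portfolio also shows a repeatable construction (a webmail brand token such as gmail, goglemail or yahoo inside a registrable domain that is not the brand's own) that catches siblings the published list misses. The following is an added example, not code from the original post: a small Python checker that loads a subset of the post's defanged domains, classifies hostnames found in proxy log lines, and flags both exact IoC hits and hostnames that follow the same lookalike pattern. The log format, the log lines, the set of legitimate brand domains and the naive last-two-labels registrable-domain logic are assumptions constructed for this example.

```python
"""Check hostnames against the post's typosquat IoCs and its lookalike pattern.

Added example for this post, not the author's code. The defanged domain list is
a subset of the IoCs published above; the log lines, the log format and the set
of legitimate brand domains are constructed assumptions for the example.
"""
import re
from urllib.parse import urlsplit

# Subset of the post's published IoCs, kept in the defanged form the post uses.
DEFANGED_IOCS = [
    "hxxp://my-mail-account-gmail.com",
    "hxxp://security-myaccount-goglemail.com",
    "hxxp://accounts-oauth-gmail.com",
    "hxxp://mail-yahoo-myaccount.com",
]

# Brand tokens that recur across the portfolio, and the registrable domains that
# legitimately carry them (assumption: tune this set for your environment).
BRAND_TOKENS = ("goglemail", "gmail", "yahoo")
LEGITIMATE_DOMAINS = {"google.com", "gmail.com", "googlemail.com", "yahoo.com"}

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG_LINES = [
    "2022-11-29T10:01:02Z 10.0.0.5 GET http://my-mail-account-gmail.com/signin 200",
    "2022-11-29T10:01:09Z 10.0.0.7 GET https://mail.google.com/mail/u/0/ 200",
    "2022-11-29T10:02:41Z 10.0.0.9 GET http://my-signin-account-gmail.com/ 302",
    "2022-11-29T10:03:15Z 10.0.0.4 GET https://www.googlemail.com/ 200",
    "2022-11-29T10:04:00Z 10.0.0.13 GET http://example.com/ 200",
]

LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator):
    """Turn the post's hxxp:// or hxxps:// notation back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator.strip(), flags=re.IGNORECASE)


def load_iocs(defanged):
    """Return the set of lowercase hostnames from a list of defanged URLs."""
    hosts = set()
    for item in defanged:
        host = urlsplit(refang(item)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


KNOWN_IOC_DOMAINS = load_iocs(DEFANGED_IOCS)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for the .com IoCs here; use the
    Public Suffix List in production so co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host):
    """Verdict order: known_ioc, then legitimate, then suspected_lookalike, else clean."""
    rd = registrable_domain(host)
    if rd in KNOWN_IOC_DOMAINS:
        return "known_ioc"
    if rd in LEGITIMATE_DOMAINS:
        return "legitimate"
    # Same construction as the portfolio: a brand token inside a registrable
    # domain that is not the brand's own.
    if any(token in rd for token in BRAND_TOKENS):
        return "suspected_lookalike"
    return "clean"


def scan_log(lines):
    """Return (client_ip, hostname, verdict) for every line worth an alert."""
    hits = []
    for line in lines:
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        host = urlsplit(match.group("url")).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict in ("known_ioc", "suspected_lookalike"):
            hits.append((match.group("src"), host.lower(), verdict))
    return hits


if __name__ == "__main__":
    for src, host, verdict in scan_log(SAMPLE_LOG_LINES):
        print(f"{verdict:20s} {src:12s} {host}")
```

The pattern check deliberately runs after the exact match and the legitimate-domain allowlist, so mail.google.com and www.googlemail.com are never flagged while a previously unseen sibling such as my-signin-account-gmail.com is. Note that domains in the portfolio without a brand token (mail-myaccount.com, for example) are only caught by the exact IoC list, which is why both checks are needed.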

Stay tuned!

Data Mining and Visualizing My Old GMail Account - An Analysis

November 16, 2022

Dear blog readers,

I've decided to touch base with everyone and share a screenshot which demonstrates a data-mined visualization of my old GMail account, where I'm currently using a proprietary solution to figure out how different connections with friends and colleagues circa 2008-2013 really worked out in terms of achievements and productivity.

Stay tuned!

Sample Photos from My Cyber Security Talks Bulgaria Presentation - An Analysis

November 16, 2022

Dear blog readers,

I've decided to share some personal photos from my Cyber Security Talks Bulgaria presentation, an outstanding event with an interesting and engaged audience, where I had the privilege to meet and socialize with fellow researchers and experts and to give a presentation.

Sample photos include:

Sample presentation slides include:

Stay tuned!

SmokeLoader Themed Malware Serving Campaign Spotted in the Wild - An Analysis

November 15, 2022

Dear blog readers,

I've decided to share with everyone some technical details behind a currently circulating malicious software serving campaign that's dropping a SmokeLoader variant on the targeted host and using a variety of C&C server domains for communication with the attackers.

Sample screenshots include:

Sample campaign structure:

MD5: ccaf26afe7db068aa11331f6c5af14d8
hxxp://host-file-host6.com - 34.106.70.53
hxxp://host-host-file8.com

Sample related responding IPs known to have been involved in the campaign include:

hxxp://176.124.221.9
hxxp://23.48.95.144
hxxp://45.91.8.70
hxxp://185.144.28.175
hxxp://31.44.185.182
hxxp://8.209.65.68
hxxp://45.134.27.228
hxxp://2.16.165.19
hxxp://185.251.89.108
hxxp://195.186.210.241

Stay tuned!

Massive Malware Serving Campaign Abuses Portmap, a Web-Based Port Forwarding Solution - An Analysis

November 15, 2022

Dear blog readers,

In this post I've decided to further profile a currently circulating malicious software and njRAT malware dropping campaign that's using a popular port forwarding solution as a C&C server, with the idea of providing everyone with the necessary situational awareness and technical details regarding the campaign.

Sample campaign C&C and associated domains analysis:

MD5: d8191eee2d99a00cb664d100ffc73b9c
hxxp://enderop44-36084.portmap.host - 193.161.193.99
URL: hxxp://www.cofo.ga/a/KeyOneA.exe
Botnet C&C: hxxp://cofo.ga - hxxp://52.70.248.161; hxxp://193.161.193.99

Sample screenshots include:

Sample VirusTotal Graph regarding the malicious campaign:

Stay tuned!

Profiling the Limbo Crimeware Malicious Software Release - An Analysis

November 03, 2022

NOTE:

These screenshots were obtained in 2009 courtesy of me while doing research.

An image is worth a thousand words.

Sample screenshots include:

Stay tuned!